Large scale Google Ads campaign targets utility software
Security Researcher at Malwarebytes focusing on web threats
Fake Disney+ activation page redirects to pornographic scam
https://www.malwarebytes.com/blog/scams/2024/10/fake-disney-activation-page-redirects-to-pornographic-scam
#malvertising Obsidian
@Lee_Holmes @briankrebs for better or worse PowerShell has become somewhat associated with malicious activity (for those in the security space looking at malware).
Remote desktop applications have also inherited a bad reputation as scammers often use them.
But you are absolutely correct, getting the user to do anything at this point is the issue.
Walmart customers scammed via fake shopping lists, threatened with arrest
Credit card 'img' skimmer domain:
trendgurupro[.]com
Part of this campaign: https://www.malwarebytes.com/blog/news/2024/08/hundreds-of-online-stores-hacked-in-new-campaign
Scammers advertise fake AppleCare+ service via GitHub repos
https://www.malwarebytes.com/blog/scams/2024/09/scammers-advertise-fake-applecare-service-via-github-repos
@Ericlaw is Internet Explorer still being used or is that the default title header?
Malicious Google Ads for Apple support
hxxps[://]applescustomerservice24x7care1102[.]vercel[.]app/
hxxps[://]apples24x7-customersupporthelp[.]github[.]io/saf/
Malicious Google Ad for WinSCP
winscp[.]corysound[.]com
winscpp[.]net
badlink58[.]com/wp-includes/fonts/WinSCP-6.3.4.zip
Malicious Google ad for Microsoft Support
hxxps[://]microsft-customer-helpline[.]vercel[.]app
New blog: Lowe’s employees phished via Google ads
https://www.malwarebytes.com/blog/news/2024/09/lowes-employees-phished-via-google-ads
Malicious Google Ad for Cisco AnyConnect
cisco[.]com[.]gruaselpiojito[.]com[.]mx
cisco[.]com[.]gruaselpiojito[.]com[.]mx/download/cisco-secure-client-win-5[.]0[.]05040-core-vpn-predeploy-k9[.]exe
NetSupport RAT, C2: sivacycle[.]com
https://www.virustotal.com/gui/file/c432721a5077fb5232a07d9a1e23c03bee715eb9e3ac80d3bf971f1910e5215c
Fake Canva home page leads to browser lock
https://www.malwarebytes.com/blog/scams/2024/08/fake-canva-home-page-leads-to-browser-lock
@Lee_Holmes Not really, but I just started digging into this more recently so I suspect there are many variations of it.
Come to think of it, it's just a form of spam, looking for any way they can inject data into legitimate/official sources.
Malicious Google ad for Zoom
pacificfisherman[.]com
zoomi[.]company
zoomi[.]company/Zoom[.]exe
https://www.virustotal.com/gui/file/21b075ff9da7d425ad8c44c0c7104d7ca3ae9834fb539a3de840bd30a2a93db6
SocGholish/FakeUpdates
jswebcloud[.]com
premium[.]davidabostic[.]com
C2: contest[.]printondemandmerchandise[.]com
@Lee_Holmes thanks, I'm glad it's not just disabling one URL at a time, but an entire account.
Here's the larger campaign I was talking about. Not sure what MSFT can do about it, but it's a real issue: https://www.malwarebytes.com/blog/scams/2024/08/psa-these-microsoft-support-ploys-may-just-fool-you
PSA: These ‘Microsoft Support’ ploys may just fool you
https://www.malwarebytes.com/blog/scams/2024/08/psa-these-microsoft-support-ploys-may-just-fool-you
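The indicators in this feed are shared in the usual defanged notation (`hxxps[://]`, `[.]`), with campaign labels, C2 markers and VirusTotal links mixed into the same text. The example below is added here and is not part of the feed or any Malwarebytes tooling: it parses lines in that notation, refangs them, classifies each as a domain, URL or SHA-256, keeps the nearest preceding label as context, and derives a host blocklist. The sample lines are copied from the feed above; the function and class names, and the handling of a `[:]` port marker, are my own assumptions.

```python
import re
from dataclasses import dataclass

# Sample input in the feed's defanged notation (lines copied from the feed above;
# constructed here only as test input for the parser).
SAMPLE_LINES = [
    "Malicious Google Ad for WinSCP",
    "winscp[.]corysound[.]com",
    "badlink58[.]com/wp-includes/fonts/WinSCP-6.3.4.zip",
    "hxxps[://]microsft-customer-helpline[.]vercel[.]app",
    "NetSupport RAT, C2: sivacycle[.]com",
    "https://www.virustotal.com/gui/file/c432721a5077fb5232a07d9a1e23c03bee715eb9e3ac80d3bf971f1910e5215c",
]

# Order matters: scheme markers first, then the bracketed separators.
# "[:]" for ports is an assumption; the feed above does not use it.
DEFANG_MAP = [("hxxps", "https"), ("hxxp", "http"),
              ("[://]", "://"), ("[:]", ":"), ("[.]", ".")]
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
# A defanged host: optional hxxp(s)[://], labels joined by [.], optional path.
IOC_TOKEN_RE = re.compile(r"(?:hxxps?\[://\])?[\w.-]*\[\.\][\w.\[\]-]*(?:/\S*)?")


@dataclass
class Indicator:
    kind: str        # "domain", "url" or "sha256"
    value: str       # refanged (live) value
    context: str     # nearest preceding label line, e.g. the lure being advertised
    role: str = ""   # "c2" when the source line marks it as command-and-control


def refang(text):
    """Turn the feed's defanged notation back into a live indicator."""
    for fanged, real in DEFANG_MAP:
        text = text.replace(fanged, real)
    return text


def defang(text):
    """Inverse of refang(), for safely re-sharing indicators."""
    return text.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")


def parse_feed(lines):
    """Extract indicators from feed lines, attaching the latest label as context."""
    found, context = [], ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        digest = SHA256_RE.search(line)          # VirusTotal links carry the hash
        if digest:
            found.append(Indicator("sha256", digest.group(0), context))
            continue
        if line.startswith(("http://", "https://")):
            continue                              # reference link, not an indicator
        tokens = IOC_TOKEN_RE.findall(line)
        if not tokens:
            context = line                        # a label such as "Malicious Google Ad for X"
            continue
        role = "c2" if re.search(r"\bC2\b", line, re.I) else ""
        for token in tokens:
            value = refang(token)
            kind = "url" if ("://" in value or "/" in value) else "domain"
            found.append(Indicator(kind, value, context, role))
    return found


def host_of(value):
    """Hostname part of a refanged domain or URL."""
    return value.split("://", 1)[-1].split("/", 1)[0].lower()


def blocklist_hosts(indicators):
    """Sorted, de-duplicated hosts suitable for a DNS or proxy blocklist."""
    return sorted({host_of(i.value) for i in indicators if i.kind in ("domain", "url")})


if __name__ == "__main__":
    for ind in parse_feed(SAMPLE_LINES):
        print(f"{ind.kind:7} {ind.role:3} {defang(ind.value):70} <- {ind.context}")
    print("blocklist:", blocklist_hosts(parse_feed(SAMPLE_LINES)))
```

The context field is what makes the output useful beyond a flat blocklist: it keeps each domain tied to the lure (WinSCP, Microsoft Support, and so on) that the feed attached it to, which is the detail a hunt or a ticket needs. Hashes are pulled out of VirusTotal links rather than treated as URLs to block.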